Passthrough and pihole

Hi,
In order to redirect DNS requests to pihole (or whatever), a few people use the “passthrough” setup in the firewall in place of the src and dst NAT rules.

Something like this:

/ip/firewall/filter/add action=passthrough log=yes log-prefix=not-going-to-pihole dst-address=!your-pihole-ip protocol=udp port=53

/ip/firewall/filter/add action=passthrough log=yes log-prefix=going-to-pihole dst-address=your-pihole-ip protocol=udp port=53

I don’t know what passthrough is exactly about (never used), but I was wondering if it is as effective a method as the src/dst NAT rules which many of us already use for the same purpose.
Your thoughts, please.

Thanks

Passthrough = do nothing and continue processing further rules. You just get a counter.

And in which way can these rules be useful to redirect DNS requests?
Thanks

None. Just for debugging, to see that such packets are coming. And with log=yes, it might as well be action=log instead.

Ah, OK. I was looking for a way to redirect DNS queries (even hard-coded ones) to pihole without using NAT rules, in order to enable pihole to show the IPs of the devices which the queries actually come from, but it seems that there is no way round it other than using the NAT tricks.

By the way, there is nothing we can do to catch DNS requests made via DoT, is there?
However, a user on Reddit talked about using blocklists for DoH servers.
Others claim that they blocked port 53 completely (except for pihole), so devices are forced to use the piholes and show up accordingly, which is a bit too much in my opinion.

Here is the Reddit link to the thread:

https://www.reddit.com/r/pihole/comments/w46spt/be_aware_most_of_your_devices_are_not_respecting/

Thanks
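
Added example, not part of the thread: since the two rules above only log, this sketch shows what that log is good for, namely listing which clients send DNS queries to resolvers other than the Pi-hole. The log line layout and the sample lines are constructed assumptions, and it filters on destination port because RouterOS `port=53` matches either source or destination port, so replies also hit the "not-going" rule.

```python
import re
from collections import Counter

# Assumed layout of a RouterOS firewall log line:
#   "<prefix> <chain>: in:.. out:.., ..., proto UDP, src:sport->dst:dport, len N"
LINE_RE = re.compile(
    r"(?P<prefix>(?:not-)?going-to-pihole)\s+\w+:.*?"
    r"proto UDP, (?P<src>\d+(?:\.\d+){3}):\d+->"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)

# Constructed sample lines (not captured from a real router).
SAMPLE_LOG = """\
12:00:01 firewall,info going-to-pihole forward: in:bridge out:vlan20, connection-state:new src-mac 02:00:00:00:00:0a, proto UDP, 192.168.88.10:40001->192.168.20.2:53, len 60
12:00:01 firewall,info not-going-to-pihole forward: in:vlan20 out:bridge, connection-state:established proto UDP, 192.168.20.2:53->192.168.88.10:40001, len 76
12:00:03 firewall,info not-going-to-pihole forward: in:bridge out:ether1, connection-state:new src-mac 02:00:00:00:00:17, proto UDP, 192.168.88.23:51234->8.8.8.8:53, len 60
12:00:04 firewall,info not-going-to-pihole forward: in:bridge out:ether1, connection-state:new src-mac 02:00:00:00:00:17, proto UDP, 192.168.88.23:51235->8.8.8.8:53, len 60
12:00:05 firewall,info not-going-to-pihole forward: in:bridge out:ether1, connection-state:new src-mac 02:00:00:00:00:1f, proto UDP, 192.168.88.31:40960->1.1.1.1:53, len 60
12:00:07 system,info,account user admin logged in via winbox
"""


def bypass_summary(log_text, dns_port=53):
    """Return {client_ip: Counter({resolver_ip: hits})} for queries that skipped the Pi-hole."""
    bypass = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not one of the two firewall log prefixes
        if int(m["dport"]) != dns_port:
            continue  # a reply (source port 53), logged only because port= matches both sides
        if m["prefix"] == "not-going-to-pihole":
            bypass.setdefault(m["src"], Counter())[m["dst"]] += 1
    return bypass


if __name__ == "__main__":
    for client, resolvers in sorted(bypass_summary(SAMPLE_LOG).items()):
        for resolver, hits in resolvers.most_common():
            print(f"{client} -> {resolver}: {hits} queries bypassed the Pi-hole")
```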